Response from Keir Starmer

I recently wrote to Keir Starmer with the aim of trying to get Labour to seek an extension to the transition period. They have rather predictably refused to do so. The full text of the email has been included below:

Dear Patrick, 

Thank you for your email to Keir Starmer MP in relation to Britain’s withdrawal from the E.U. At this point in time, Keir’s mailbag is so full that he has asked me to respond on his behalf. I’m very sorry for the delay in getting back to you.

Your views and assertions have been noted and shared with the relevant team.

The UK has left the European Union and Labour wants the best possible deal for this country. Negotiations on our future relationship with the EU have continued through the coronavirus crisis. The Tories have said they will still get a deal by the end of the year. It is their responsibility to do that.  

The first test for them will be the planned summit in June at which both sides will determine whether “sufficient” progress has been made to secure agreement by December. Number 10 has rightly focused its energies on fighting the coronavirus but it is of great concern that negotiations have been reduced in scale while negotiators have so far failed to make any significant progress.  

The Tories have said that they have a mandate to ‘Get Brexit Done’, so the deal should at the very least deliver on the promises they made at the last election in the Conservative Party’s 2019 manifesto, which said “we have a great new deal that is ready to go”.  

That is the minimum against which Labour will hold the Government accountable in these negotiations. The Government has a responsibility to protect jobs, protect our food and medical supplies and protect our citizens’ safety and security. Now is not the time to put those things at risk.  

Coronavirus will have a huge economic impact. There are devastating predictions of job losses in the UK. We must not make that situation worse with tariffs and barriers to trade with our biggest market.  

The UK has left the European Union. Labour wants the best possible deal for this country, which should: 

·         Protect jobs and the economy through trade deals for goods and services which minimise disruption to business.  

·         Maintain the security of the UK by retaining existing co-operation as far as possible.  

·         Respect the Good Friday Agreement in line with the Northern Ireland Protocol.  

·         Enable continued collaboration in areas of mutual benefit, such as health and research.  

Labour has argued that deal should be based on a close economic relationship and alignment on protections for workers, consumers and the environment.  

Our policy is made democratically, through discussion and consultation with members, the public, businesses, experts and civil society groups. You can take part in the conversation online at Join discussions with politicians and representatives from across the Labour Party and share your ideas with us, so that when the time comes – we can serve our country again in government. 

Best wishes, 


Membership Services and Correspondence 

The Labour Party

3UK and Rainbow

Some of you may recall the trials 3UK ran last year of systems provided by Shine. These trials were supposed to test systems aimed at blocking adverts at the network level. The problem though was that this required both the interception and sharing of personal and private communications of those using 3UK’s network. To do so without proper consent would be a criminal offence under s1(1) of RIPA as confirmed by IoCCO when I enquired about it.

I had previously asked the ICO about the nature of consent gained by 3UK during the trials. The response was far from reassuring, with the vast majority of communications withheld because of their commercially sensitive nature. This wasn’t entirely surprising, but it was nevertheless disappointing.

Now it seems that Shine have been rebranded as Rainbow and 3UK plan to go ahead with the use of their services, only now Rainbow seems to have dropped any pretence when it comes to their intentions: the service is no longer aimed at blocking adverts or helpers consumers but rather the exploitation (monetisation?) of their private communications passing over 3UK’s network.

The BBC article linked to in this post notes that the service is free for advertisers and consumers alike, but what about the networks? How much are they being paid by Rainbow to hand over the data?

More importantly what about consent?

Rainbow are providing systems that require data gained from the telecoms networks in order to function. This means that private communications still presumably need to be intercepted. Without said interception it’s likely their services simply would not work, nor would Rainbow gain all that valuable data.

3UK may try to argue that the data being provided to Rainbow has been anonymised or had identifiable details removed through other means. In my opinion this ought to be irrelevant; 3UK would still have presumably intercepted private communications, possibly without appropriate consent, and subsequently processed that private data for purposes that may well not have the consent of the customers. The systems provided by Rainbow are also not required to provide me with my phone and mobile internet services.

Given the response from IoCCO such interception without consent that would appear to be illegal, regardless of how that data was presented to 3rd parties or subsequently used. There is also the Data Protection Act to consider given that personal data is being processed for questionable purposes. Most worryingly of all there is currently no indication what consent 3UK will ask for from customers, how they will ask for it and certainly no guarantees that their communications won’t still be shared with Rainbow if they choose to deny consent.

I’ve asked the ICO to re-consider the refusal to release all correspondence between it and 3UK and/or Shine (now Rainbow) since their plans go beyond a mere trial and will affect their entire customer base. There is also a clear argument to be made that the public interest in releasing the information exceeds the commercial sensitivity of the responses previously provided to the ICO. I have also asked the ICO if they could look into this matter given the apparent threat to privacy that 3UKs plans represent.

This blog post will be updated if and when I get a response.

Write to your MP over Brexit

Don’t like where the country is heading when it comes to Brexit? Then why not write to your MP and let them know how you feel. It can’t be easier: all you need is your postcode. Enter it on the website to find your MP and write them an email using the form they provide.

I did so myself recently, and can’t recommend it strongly enough.

Dear Phillip Lee,

Please read this and explain why you’re still willing to play your part in putting the future of this country at risk? ken=zwAAAVnwCZkwkdP952Fq5s8R5tOWe8iEUiY9rw.MEUCIAX1dHriKnlO-KMJn9rmIyLX9k kmdUndqfa_75xri4-FAiEAukNHmHLgDeIR2HHVKn3WDzNBqcUVAZj7MWFxJk-uTZE&sharetype =gift

The referendum was only won in the first place thanks to the lies that were told by the leave campaign, including the now infamous £350 million claim plastered on the side of a bus.

I’ve spent time in hospital attending various clinics and I’ve overheard conversations where some clearly felt betrayed when they had voted so that the NHS would be better funded. How much more betrayed do you think they will end up feeling when you follow a course of action that will end up with the destruction of the very thing they wanted protected?

The Vote Leave camp may try and repudiate the claims after the fact but it may well have been what won them the referendum, especially given the razor thin majority they had and that almost half of the voters voted to remain.

I might also add that the timeline was never something included in the referendum. The March deadline put forward by Theresa May is an entirely self-imposed limitation that was proposed without any discussion or agreement with the wider public. We never agreed to give the PM carte blanche to do whatever she wants, and in that respect MPs still have a job to do.

We may have to leave the EU, but there is nothing that says you have to unquestionably follow the path laid out by the PM, and I don’t think it’s unreasonable to expect you to stand up in defence of public services and against blindly starting courses of action that will lead to their obliteration.

Yours sincerely,

Patrick Seurre

Three are up to their old games again

It seems Three UK have reverted to their old tactic of assuming they can bend the rules to breaking point. Many of you will already be aware of the trials run by Three recently with regards to the ad-blocking systems provided by Israeli company Shine. Particular attention should be paid to the following paragraph:

The method by which Shine blocks ads at the network level is unclear. The company says it uses “machines” that are capable of performing deep packet inspection (DPI) inside the network. Using a mixture of “real-time analysis, artificial intelligence and algorithms,” the team is able to identify ads and stop them without breaking the original webpage or app.

Emphasis was added by me. The first point is quite important, since it implies that traffic is being intercepted and processed in such a way that would require consent from both the sender and recipient under RIPA s3(1), since there is no warrant issued for the interception. s3(1) can be found here.

3 Lawful interception without an interception warrant.


(1)Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which is both—

(a)a communication sent by a person who has consented to the interception; and

(b)a communication the intended recipient of which has so consented.

This is not an either-or situation. Consent is required from BOTH sender AND the recipient. Three have obtained consent from their customers but they represent only one party to the communication. It should also be noted that whilst the British government fought tooth and nail to keep implied consent within RIPA it was nonetheless removed from RIPA after legal proceedings had been initiated by the EU commission. Implied consent has not been in RIPA since 2011.

Leaving aside for a moment the questionable priorities shown by the government in their dealings with the EU commission on this matter, it should also be noted that the telecoms companies themselves cannot be trusted. Filtering is not a new thing and has been used in the past in order to prevent children from accessing inappropriate material (a course of action that was of course doomed to failure from the start).

As a Three customer myself I faced a large hurdle in removing a filter that I had neither requested nor wanted. Repeated requests to get rid of this filter changed nothing: the filter was left switched on. I was told I could go into the shop to get it switched off. I was naïve enough to believe this might work so this was tried too. Unfortunately for me however the employees in the shops showed no willingness whatsoever to even try and help me. I was turned away with no help being given, and a strong sense that they only cared about selling to new customers and cared nothing for existing customers.

In any case the Three filter also relied upon systems provided by Bluecoat.

There have been cases in the past where services provided by Bluecoat didn’t seem to work as most people would expect. Web usage was being shared with them and they subsequently visited the site as part of the filter. Again this raises other questions regarding privacy but these too will have to be left for the time being. The important point is this: when it came to other telecoms providers were concerned even when the adult filter was switched off the sharing often still continued.

I’m also a webmaster too, and would never consent to this type of interception, but then I’m never asked. I assume Three know that most webmasters would equally not allow such interception to occur, which is why they try and ignore the need to ask in the first place. I also have zero confidence in Three running their systems acceptably. Even if they did somehow managed to do so – something they have failed to do in the past – then they have still failed to outline exactly what’s happening to customers.

I sent a request to the ICO requesting details on their conversations between them and Three and/or Shine or internal conversations regarding the Shine trials. This request and the outcome can be found here. You’ll note how entire pages have been redacted from part of the response – evidently the ICO has been taking lessons from the US government when it comes to redaction. The level of secrecy surrounding their conversations with the company is also quite revealing. However the most interesting part is that the ICO themselves appear to recognise that these trials are not without unanswered questions.

ICO response

The response also indicates that there may also be problems under RIPA too. Since this is presumably the province of IoCCO I decided to send them an email too outlining my concerns. That particular complaint is still being investigated.

There is still the second point from the article to consider, and that is their assertion that adverts can be removed without breaking the website or app. This strongly suggests that content is not only being intercepted it’s also being modified before being sent on. This is an unacceptable state of affairs and represents arrogance of the highest order on Three’s part.

In any case the message is clear in my opinion: if you care about your privacy then avoid Three.

Freedom of Information, Treaties & National Security

A draft copy of a report by Sir Nigel Sheinwald recently came to public attention. This report dealt with data sharing and called for new treaties to force corporations to cooperate with government demands for access to data.

This could, as the Guardian have already pointed out that it could be used to provide an alternative to the other main proposal (commonly referred to as the ‘snoopers charter’). Unfortunately the government chose to classify the document as top secret. This decision was apparently based on the presence of commercially sensitive information in the report. Such information could, however, been redacted from any published version of the report and the presence of such information should not have prevented publication nor require the document to be classified in any way.

As a concerned citizen worried what about the impact such agreements could have on me I asked for a copy of the report. The Cabinet Office replied reasonably promptly, although to my dismay they chose to deny access and claimed that since the information was already in the public domain they had no obligation to release the information again (s.21 of the FoIA). There was one problem with that conclusion however: the information that was in the public domain wasn’t the report that I had requested but rather only a summary of the report.

A summary is not sufficient in my view especially when it involves fulfilling requests made under the Freedom of Information Act. Details could be added, removed or entirely misrepresented (either by accident or otherwise).

Those of you that follow Freedom of Information related news may already know that this isn’t the first time that summaries have been used in response to such requests. The government tried a similar tactic over recent years with access to MP expense receipts. The summaries were seen as insufficient, and appeals were made first to the ICO and then subsequently the tribunal. In both cases they sided with the reporter trying to gain access to these documents, but IPSA made the misguided and ultimately futile attempt to challenge all of these appeals. Luckily for both the reporter and the wider general public even the court of appeal agreed with the requester, the ICO and even the tribunal.

I was already aware of all of this at the time of making my request, and I must confess that the way in which they seemed to be playing games with public access to documents annoyed me.

They may want to maintain tight control over how information is presented, but once you take this out of the equation there is only one reason that comes to mind for using summaries: any such release of the full report would make the level of redaction clear to the general public. The contempt that the government has shown to the public and to the Freedom of Information Act in general would be laid bare in the large chunks of redacted text in anything they choose to release. The end result of this would be questions being raised over the validity of the use of s.23 and s.24.

They seemed to be making an effort to appear transparent whilst at the same time failing to comply with the request. I therefore decided to ask for an internal review.

They refused access again, although this time they changed their minds: now they decided to use s.23 and s.24 of the act to refuse access.

S.23 is an absolute exemption. This means that information can be refused without first having to consider any public interest argument against withholding the information. The problem I have with this argument is that the reason for using s.23 isn’t entirely clear given the subject matter of the report. This is a report involving corporations & data sharing and unless the report contains detailed examples that include details involving specific operations or the internal structure of said organisations then I fail to see how s.23 could apply here. Even if it did it should not be so difficult to release a copy of the report with any such sensitive detail redacted from it.

Personally I suspect they are using s.23 not to protect the work of government agencies, but to protect development of policies that they have already decided are the way forward, regardless of the impact they may have. I’m also left wondering if the use of s.21 in the initial response and s.23 in the internal review was an attempt to sidestep the public interest test normally applied to more appropriate exemptions such as s.35.

It should also be noted that at no stage have the Cabinet Office attempted to use s.35 to refuse my request in this case, and have relied purely on s.23 and s.24 after apparently realising that relying upon s.21 was a mistake.

In addition the use of s.24 seems to be questionable, since the result of the internal review seemed to suggest that the information protected by s.24 was distinct from the part of the report protected under s.23 and this in turn raises other questions. Apart from anything else, just what are they protecting?

It’s difficult for me to get rid of the impression that they’re using circular logic: they initially classified the report as top secret because ‘national security’, only now I wouldn’t be surprised if the use of s.24 was based on the fact that it has previously been classified. So we could have ended up with a situation where the report has been classified because of national security, and it relates to national security because it’s been classified. It’s an endless loop with no way out.

As others in the media have pointed out it’s widely believed that the report contains commercially sensitive information.

I hope that the Cabinet Office isn’t using s.24 when all that has been protected are commercial interests, or merely because they’ve arbitrarily decided to block access. That really would be appalling and serious abuse of the levels of secrecy only available to them and other parts of government.

It’s impossible to have any reasonable debate about something if you can’t understand it, and you can’t understand it if information is withheld like this. How are we, as members of the public, supposed to have faith in the legal system when the reasoning behind any changes is being withheld from us like this?

For that matter why should we trust them with such powers given the abuses by local authorities in the past? Legislation intended to help catch terrorists has already been abused to check on such ‘serious’ crimes as applying for school places outside their catchment areas and people not clearing up when the mess left by their dogs or littering.

In my opinion – whatever that may be worth – the sheer insanity that plans such as this represents coupled with other failings, notably the OPM hack in the US, significantly strengthens the public interest argument for releasing the report. Any new data sharing treaty is likely to work in both directions, and in many cases to the detriment of UK citizens (as they often seem to do in the case of extradition treaties). The end result is that whilst the UK will be able to demand cooperation from other countries, those other countries will also be able to demand that same level of cooperation from us.

The lack of rights for foreigners in other countries – or lack thereof – is a huge concern, especially since some of them have been found to share unfiltered data with yet more countries. This means that anything even remotely personal shared with those 3rd parties could end up in the hands of states not bound by any treaty that the UK has signed. Assurances such as Safe Harbour, Mutual Legal Assistance Treaties and other mechanisms intended to control access are meaningless here (not that Safe Harbour has a promising future at this stage).

If you need any evidence of this then just look at Microsoft trying to prevent US access to servers in Ireland, despite the US having established a Mutual Legal Assistance Treaty with Ireland, large corporations in the US pushing for CISA to be passed into law or the very Safe Harbour framework relied upon by those same US corporations being called into question.

The government here is being naive if it truly believes that our data is protected in any meaningful way once it leaves their control.

In any case an appeal has been lodged with the ICO. It will be interesting to see what the outcome is. I would hope that the ICO would at least agree with me that a summary is not an appropriate response to an FoIA request in such cases.

UPDATE: The CJEU has ruled against safe harbour (or harbor). This means that companies exporting data to the US from the EU cannot now rely upon it. It might also be worth adding that all other mechanisms for legalising export of data to the US – including BCRs – suffer from the same issue that resulted in safe harbour being struck down, so it will be interesting to see how regulators such as the ICO respond to recent developments.

Freedom of Information & the Private Sector

Anybody who knows me will know I’ve made a number of FoIA requests over time. It’s a valuable tool and deserves protection from interfering politicians that would prefer to be able to hide anything they would rather people didn’t think about.

Those reading this that also happen to be living in the vicinity of Heathrow will have noticed more aircraft noise over recent months. From Epsom to Bracknell and Ascot the stories often end up being the same: more noise and disruption from aircraft passing overhead or nearby. I’m one such person having to put up with more aircraft, and since I had enough of the noise I tried getting information out of NATS via an FoI request.

Imagine my surprise when I found out NATS weren’t subject to it, despite the fundamental role they play in running our transport infrastructure.

First a little background to the whole matter:

In 2014 Heathrow conducted trials. These trials involved changing the flight paths taken by aircraft going to and from Heathrow. This rather understandably prompted floods of complaints thanks the the huge disruption this caused to anybody living under the new flight paths. The discontent that resulted from the trials helped to bring about an earlier end to them than had originally been planned. The management had obviously not foreseen the furore the trials would cause and were forced to stop them.

The problems didn’t stop with the end of the trials though, since people kept on claiming that there was more noise. Time and time again Heathrow claimed that no changes had been made. The continual denials from Heathrow weren’t particularly believable, since anybody living in the area could tell quite easily that there was a difference. In addition NATS admitted recently to having failed to notify Heathrow of a change to one of the departure routes taken by aircraft when leaving Heathrow (referred to as the Compton route).

Personally speaking I find it difficult to accept that proper procedure has been followed in the case of the Compton route change, and if it has been followed then that raises more questions about the procedures themselves. NATS are forcing planes to fly in a different direction yet somehow according to them this rather confusingly was not a route change. I can understand why they might want to avoid describing it as such, since this would presumably require additional consultation and delay.

This does not, however, necessarily stop it from being a route change.

To make matters worse NATS not only swept the fact that any change had taken place under the metaphorical carpet, but they also made the change during the flight path trial being conducted by Heathrow (how this doesn’t invalidate the entire trial as a result of such ham-fisted behaviour by NATS really is beyond me).

On top of continual [incorrect] denials by Heathrow came the bloody minded refusal by NATS to revert the changes when people started pointing out the impact it was having. Any request to consider going back to the old way of handling this route was welcomed with blanket refusals claiming it was done for reasons of safety (without if I recall correctly mentioning how safety had been improved, what risks had been mitigated or why – if there were such risks – they weren’t dealt with earlier).

In any case I strongly believe that any private sector organisation running services on behalf of the government ought to be subject to the Freedom of Information Act. This doesn’t apply to just NATS but all private sector organisations providing services to national or local government.

Private sector organisations such as NATS have a vital role to play but it’s equally vital that the public are in a position to know that the responsibilities entrusted to the private sector are being dealt with in an acceptable fashion. This can’t be achieved if said organisations are being run in an opaque way where only vague excuses need be given for decisions without any further consequences or additional oversight taking place.

I have started a petition on the No. 10 website asking for this to be changed. For some reason the confirmation page doesn’t contain the text of the petition (the people running the No. 10 website naively assume that nobody will ever change the text of the email they expect to be forwarded to trick people into sponsoring a petition).

UPDATE: The petition has now gone live, and can be accessed via the link below:

Amazon spamming customers and ICO apparently can’t help

Recently I started getting spam from Amazon involving ‘local deals’. These were unwanted so I subsequently reported them to spamcop. Now I’ve started getting more spam for travel offers too. Given how unhappy I was at being spammed by an organisation as big as Amazon I started looking into what my rights were.

It seems that consent is required prior to sending. There is an exception however: the current rules for marketing allow for the possibility of a ‘soft opt in’. This basically means that consent need not be given if the following conditions have been met:

• where they’ve obtained a person’s details in the course of a sale or negotiations for a sale of a product or service;
• where the messages are only marketing similar products or services; and
• where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.

The page on the ICO that goes into detail can be found here.

The first and third conditions have been met. I have bought items from Amazon before and there is an unsubscribe link. The second condition on the other hand has not been met. I have not looked for nor bought local offers or travel deals. However when I complained about this to the ICO they made it clear that they were not going to do anything about this (the full reply can be found below).

It would seem that the only thing you need to do when breaking the law is make sure your head office is outside the UK. You can have offices in the UK, huge warehouses in the UK, thousands of employees in the UK, services aimed purely at UK customers (not to mention take BILLIONS each year from those same customers in sales) but still not be subject to UK law for activities involving UK customers.

And why should any UK citizen dealing with services provided in the UK have to know how things work in other EU member states, especially when they might not even be understood let alone have any complaint successfully dealt with? How many languages exist in the EU and how many should we have to know just to make sure our rights are respected? How many regulatory systems do we have to learn?

This really is a ridiculous situation to be in.

This was the response they gave me (kudos for the ICO for at least replying so quickly)

Dear Sir

Thank you for your email of 20 July.

In your email you explain that you have been receiving marketing emails from Amazon. As these marketing emails contain offers that relate to totally different goods and services from the items you bought, you believe that Amazon have not complied with the soft opt in from the Privacy and Electronic Communications Regulations. You would like to know what we can do in this situation.

As far as data protection law in concerned Amazon is based in Luxembourg. They do have a London office but they are only processing personal data on the instruction of the Luxembourg offices and as such can only work to their instruction. This means that we can’t investigate the concerns you have explained in your email.

These concerns can be looked at by the Luxembourg Authority whose contact details are:

Commission nationale pour la protection des données
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Fax +352 2610 60 29

I appreciate that this isn’t the response that you were hoping for but I hope the information is helpful. If you would like to discuss this further please call me directly on [removed] or you can call our Helpline on 0303 123 1113.

As others have noted elsewhere it’s interesting how the ICO seem to want to switch from PECR to the DPA.

Recursive censoring?

Most people will be familiar by now with the story regarding Leon Brittan and the paedophile dossier as well as Google censoring certain results after legal demands had been made (for more details on the story click here).

Now it seems things are getting a little stranger. Not only is Google apparently censoring results but pages are also disappearing from media organisations too. Virtually none of the mainstream press have covered this story but the one that has – The Daily Telegraph – appears to have decided to remove the article in question. Searching for ‘Leon Brittan PIE’ in google gets me this:


You’ll note that the second to last link refers to a Daily Telegraph article. Clicking on the link however just gives me a ‘missing page’ message from the Telegraph website. For those of you that are interested the URL that the hyperlink uses is this:


So now it seems that the fact that the censoring is going on is now itself being censored.

The ICO: as useful as a chocolate teapot?

The ICO deals with two main areas of responsibility: dealing with appeals in regards to Freedom of Information requests and any issues connected with the Data Protection Act. Personally speaking I do have a degree of respect for the ICO when it comes to how they deal with matters pertaining to Freedom of Information. I might not always agree with their conclusions but it’s easy to see that some thought have normally gone into them. Data protection is, however, a different matter. Getting them to do anything seems to be up uphill struggle and often next to impossible. A good demonstration of this would be my recent complaint to them in regards to a form apparently set up on Tom Watson’s behalf.

Many of you will be aware of the plan for a free copy of the Sun to be delivered to each home in England – Liverpool excepted. A lot of you will also be aware of Labour MP Tom Watson’s idea that people should be given the opportunity to stop the free copy from being delivered to their house. For those of you not familiar with the story, you may want to visit the following site:

So far so good. Personally I have no real problem with this. The questionable journalism shown in the immediate aftermath of Hillsborough deserves to be condemned. The demand to stop such free copies from being delivered was clearly there, and Tom Watson – or one of his friends – was able to provide a form that allowed people to send in their details. These details would then be forwarded to the Royal Mail. I had even initially visited the site with the intention of signing up myself.

However in doing all this Tom Watson also displayed a level of hypocrisy that I believe also deserves to be condemned.

He mentions the Printers Imprint Act 1961. This is an obscure law that most people would not even be aware of. He continues with how the law needs to be enforced and how a £50 fine ought to be paid for each copy of the Sun sent out that breaks this law. Unfortunately for Tom Watson however the form provided is completely unprotected. Data is also sent outside the EEA without any protection each time details are submitted. My personal view is that this goes against the Data Protection Act. The DPA is a more fundamental law than the one that Tom Watson used to attack those working at the Sun. If the Sun deserves to be punished for their actions then so does Tom Watson in my opinion.

The website set up for this purpose can be found here:

The form asks the user for their:

  • First name
  • Last name
  • Mobile number
  • Email address
  • Postal address

And then submits them in plain text with no protection whatsoever via a server located in a banana republic like Costa Rica courtesy of a US company outside the reach of UK regulators.

Over 7,000 people have apparently filled out this form.

I sent an email to the ICO inquiring about the legality of such a move. An abridged copy of their response follows:

Thank you for raising your concern with us about the collecting of personal data in connection with a campaign to stop the Sun newspaper from being delivered to individuals who do not want to receive it.

You say that the data capture form is not protected by SSL.

We want to know how organisations are doing when they are handling information rights issues. We also want to improve the way they deal with the personal information they are responsible for. Reporting your concerns to us will help us to do that.

Our role is primarily to consider whether there is an opportunity to improve the practice of the organisations we regulate, not to investigate or provide a formal adjudication on individual concerns.

As you are aware, the seventh data protection principle says that appropriate technical and organisational measures shall be taken against unauthorised processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This means that organisations are under a duty to keep personal information secure. However, the DPA does not specify what action they should take. The DPA recognises that there is no ‘one size fits all’ approach to data security. It is therefore necessary for organisations to adopt a risk-based approach to the level of security required in any particular circumstances. The measures an organisation takes should be appropriate to the nature of the personal data and the harm that could result from a security breach.

The personal data in this case is not ‘sensitive’ in terms of the DPA definition. Neither is it particularly confidential. It does not, for example, include any details of bank accounts or credit card numbers. It is made quite clear what purpose the individual is providing their personal data for and what will happen to it. There is no indication that individuals are being misled in any way about what they are consenting to when they provide their personal data and it is entirely their choice to provide their personal data or not. Nevertheless, any security breach would cause inconvenience at the very least.

It is not entirely clear that Mr Watson is the data controller in this case but in view of the fact that his name appears in connection with the campaign, we will write to him to provide advice about compliance with the seventh principle.

In relation to your concerns about CloudFlare, as this appears to be a US-based company, it is outside the Information Commissioner’s jurisdiction.

We will not be taking any further action in relation to the specific points you raise at this time. However, we will retain details of these matters, to inform our overall view of current internet issues.

I also asked the ICO for their view of exporting data to the US or within the US sphere of influence given recent stories (not just the PATRIOT Act, but also FISAAA as well as the appearance of the complete lack of rights for non-Americans).

They have steadfastly refused to address this question. In addition they appear to have deliberated avoided dealing with the issue of exporting data outside the EEA by making it sound like the company is responsible for the export of data, rather the the person or persons setting up the form and choosing them as the provider. Cloudflare, the service provider that underpins the website in question, has offices in the UK. The website itself lists other UK organisations as users, but the ICO appears to have made zero effort to find out who was responsible for creating the form.

As for not being sensitive, personally I would suggest that somebody at the ICO read this:

It would appear that I’m not the only one to notice the toothless nature of the ICO.

“One of the problems we have got as a community is that if you don’t fine people then they don’t do stuff.”

Martin Sugden, chief executive of security firm Boldon James, takes a dim view of his industry.

A veteran of the security industry, he believes the UK’s Information Commissioner’s Office (ICO) has been lax in punishing those who flout the data protection rules and are failing to deter bad behaviour.

Trawl through the security archive of CBR over the last few months and you would have to agree IT has a security problem.


He believes the office is not as investigative as it should be, and subsequently is “slow to affect things”.

In my case ‘not as investigative as it should be’ would appear to be the same as ‘no investigation whatsoever’. It’s a real shame that we seem to have an ‘independent’ regulator that seems to be more concerned with the impact on the economy amongst other things than actually doing their job.